
strEscaped is not changed in your code. So, for example, the first time you make newstrchanged it might have the value of strEscaped with no quotes. The second time you make newstrchanged, it will still have quotes, but might not have single quotes. The reason it still has quotes is because strEscaped isn't changed. The third time, newstrchanged should still have quotes and apostrophes, but shouldn't have colons (Unicode 003A). So... that won't work as you expect, but it works as you describe. Here

Really, that regex shouldn't work to remove more than one thing. When you use the '^' as the first token, it means "the string starts with". Are you trying to say "If the string starts with a quote, remove the quote"? I think you meant to remove all quotes from the string, seeing as you used the 'g' flag. In regular expressions you compare the Unicode value using the '\uXXXX' token. So you want these regular expressions and this code:

But that kind of escaping is known as "black-listing", which isn't very secure, as people can find ways to fill cracks that the blacklist didn't think of. White-listing is the opposite. A white-list is a list of allowed characters. For example, if a username should only have letters, numbers, and underscores, this is the regex to assure that:

Note that when '^' is used as the first character inside the square brackets [ ], it changes the character match to anything EXCEPT what is in the brackets [ ]. When '^' is used as the first character in a regular expression in general, though, it means the string must start with the following character(s) in order to match.
We can drop the 'i' and the ranges because we can target 'word characters' and 'digits' instead. \w contains upper-case letters, so we no longer need the 'i' (which means 'case-insensitive') if we choose to use the following regex to match illegal user-name chars:

Code:

/[^\w\d_]/g

So, I don't know what you're doing, but white-listing is probably a better idea from what it looks like.

Black-List: Allow everything except those in the exception list.
White-List: Block everything except those in the exception list.

So, it's easy to tell which is more secure. If you block everything by default, you only need to narrow what should be allowed, which is easier to do, but still, like anything simple, it can become complex.

A concept (such as white-listing or black-listing) does not guarantee security. It only helps.
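The three approaches contrasted in the post above, as an added example that is not code from the thread: the broken version that keeps reading from the unchanged strEscaped, the black-list done by chaining replacements with '\uXXXX' escapes, and the white-list that anchors the whole string. The sample string and the function names (stripBroken, stripBlacklist, isValidUsername, findIllegalUsernameChars) are assumptions made for the example.

```javascript
// Added example, not from the original thread. The sample input and all
// function names are constructed for illustration.

// Constructed sample input: contains a double quote, an apostrophe and a colon.
const strEscaped = 'O\'Brien said "hi" at 10:30';

// 1. The mistake the post describes: every step starts again from the
//    unchanged input, so only the LAST replacement (the colon) survives.
function stripBroken(input) {
  let newstrchanged = input.replace(/\u0022/g, '');  // removes double quotes
  newstrchanged = input.replace(/\u0027/g, '');      // starts over: quotes are back
  newstrchanged = input.replace(/\u003A/g, '');      // starts over: only colons gone
  return newstrchanged;
}

// 2. Black-listing done correctly: chain each replace on the running result,
//    matching each character by its Unicode escape rather than with '^'.
function stripBlacklist(input) {
  return input
    .replace(/\u0022/g, '')   // U+0022 double quote
    .replace(/\u0027/g, '')   // U+0027 apostrophe
    .replace(/\u003A/g, '');  // U+003A colon
}

// The same black-list as one character class, removed in a single pass.
function stripBlacklistOnePass(input) {
  return input.replace(/[\u0022\u0027\u003A]/g, '');
}

// 3. White-listing: only word characters (letters, digits, underscore) are
//    allowed. '^' and '$' OUTSIDE brackets anchor the whole string, and '+'
//    requires at least one character, so an empty username is rejected too.
const USERNAME_RE = /^\w+$/;

function isValidUsername(name) {
  return USERNAME_RE.test(name);
}

// '^' as the first character INSIDE brackets negates the class, so this
// returns every character that is NOT on the white-list. In JavaScript \w
// already covers digits and underscore, so [^\w] is the same as [^\w\d_].
function findIllegalUsernameChars(name) {
  return name.match(/[^\w]/g) || [];
}
```

One caveat a practitioner should know: in JavaScript, \w matches only ASCII letters, digits and underscore, so a white-list built on it rejects accented or non-Latin letters; that is usually what you want for a username, but it is a decision, not an accident.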